Verifying liquidity of recursive Bitcoin contracts

TL;DR

This paper presents a verification method for liquidity in recursive Bitcoin smart contracts, transforming their semantics into a finite model to enable automated model-checking and prevent frozen assets.

Contribution

It introduces a novel verification technique for liquidity in BitML contracts by abstracting infinite-state semantics into finite models for automated analysis.

Findings

The verification method accurately detects liquidity issues in BitML contracts.

The toolchain successfully verifies liquidity on a benchmark suite of contracts.

Finite-state abstraction is sound for liquidity verification in recursive smart contracts.

Abstract

Smart contracts - computer protocols that regulate the exchange of crypto-assets in trustless environments - have become popular with the spread of blockchain technologies. A landmark security property of smart contracts is liquidity: in a non-liquid contract, it may happen that some assets remain frozen, i.e. not redeemable by anyone. The relevance of this issue is witnessed by recent liquidity attacks to Ethereum, which have frozen hundreds of USD millions. We address the problem of verifying liquidity on BitML, a DSL for smart contracts with a secure compiler to Bitcoin, featuring primitives for currency transfers, contract renegotiation and consensual recursion. Our main result is a verification technique for liquidity. We first transform the infinite-state semantics of BitML into a finite-state one, which focusses on the behaviour of a chosen set of contracts, abstracting from the moves of the context. With respect to the chosen contracts, this abstraction is sound, i.e. if the abstracted contract is liquid, then also the concrete one is such. We then verify liquidity by model-checking the finite-state abstraction. We implement a toolchain that automatically verifies liquidity of BitML contracts and compiles them to Bitcoin, and we assess it through a benchmark of representative contracts.